commit 40d18f7cfb64a806699545410858b655e76660e1
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Tue May 4 08:39:04 2010 +0000

    - Fix dnssec-missing detection that was turned off by server selection.

diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index b3a31fa..3a75d03 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -310,7 +310,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 struct delegpt_addr* 
 iter_server_selection(struct iter_env* iter_env, 
 	struct module_env* env, struct delegpt* dp, 
-	uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_expected,
+	uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame,
 	int* chase_to_rd, int open_target, struct sock_list* blacklist)
 {
 	int sel;
@@ -331,7 +331,7 @@ iter_server_selection(struct iter_env* iter_env,
 		if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
 			verbose(VERB_ALGO, "chase to "
 				"blacklisted dnssec lame server");
-			*dnssec_expected = 0;
+			*dnssec_lame = 1;
 		}
 	} else {
 		if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
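Review bot: `*dnssec_lame` is only ever assigned 1 in the lines shown here and in the next hunk (the `selrtt > USEFUL_SERVER_TOP_TIMEOUT` branch), so a selection that picks a healthy server leaves whatever value the caller passed in. The caller in iterator.c clears `iq->dnssec_lame_query` on timeout and after the response check, but any other path back to target selection (for example a failed send, which this diff does not show) would carry a stale 1 forward and skip the dnssec-missing check for a server that is not known to be lame. Clearing the out-parameter at the top of the function with `*dnssec_lame = 0;`, or stating in the iter_utils.h `@param` text that the caller must reset it before each call, would close that gap. The function body continues outside these hunks, so confirm there is no reset in the lines not shown.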
@@ -340,7 +340,7 @@ iter_server_selection(struct iter_env* iter_env,
 		}
 		if(selrtt > USEFUL_SERVER_TOP_TIMEOUT) {
 			verbose(VERB_ALGO, "chase to dnssec lame server");
-			*dnssec_expected = 0;
+			*dnssec_lame = 1;
 		}
 		if(selrtt == USEFUL_SERVER_TOP_TIMEOUT) {
 			verbose(VERB_ALGO, "chase to blacklisted lame server");
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index a9f4247..d3870ec 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -80,7 +80,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
  * @param name: zone name (for lameness check).
  * @param namelen: length of name.
  * @param qtype: query type that we want to send.
- * @param dnssec_expected: set to 0, if a known dnssec-lame server is selected
+ * @param dnssec_lame: set to 1, if a known dnssec-lame server is selected
  *	these are not preferred, but are used as a last resort.
  * @param chase_to_rd: set to 1 if a known recursion lame server is selected
  * 	these are not preferred, but are used as a last resort.
@@ -92,7 +92,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
  */
 struct delegpt_addr* iter_server_selection(struct iter_env* iter_env, 
 	struct module_env* env, struct delegpt* dp, uint8_t* name, 
-	size_t namelen, uint16_t qtype, int* dnssec_expected,
+	size_t namelen, uint16_t qtype, int* dnssec_lame,
 	int* chase_to_rd, int open_target, struct sock_list* blacklist);
 
 /**
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 19b9a26..6f486bf 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -120,6 +120,7 @@ iter_new(struct module_qstate* qstate, int id)
 	iq->wait_priming_stub = 0;
 	iq->refetch_glue = 0;
 	iq->dnssec_expected = 0;
+	iq->dnssec_lame_query = 0;
 	iq->chase_flags = qstate->query_flags;
 	/* Start with the (current) qname. */
 	iq->qchase = qstate->qinfo;
@@ -1451,8 +1452,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* Select the next usable target, filtering out unsuitable targets. */
 	target = iter_server_selection(ie, qstate->env, iq->dp, 
 		iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
-		&iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries,
-		qstate->blacklist);
+		&iq->dnssec_lame_query, &iq->chase_to_rd, 
+		iq->num_target_queries, qstate->blacklist);
 
 	/* If no usable target was selected... */
 	if(!target) {
@@ -1530,10 +1531,14 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	}
 
 	/* We have a valid target. */
-	if(iq->dnssec_expected) verbose(VERB_ALGO, "dnssec is expected");
-	log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
-	log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name, 
-		&target->addr, target->addrlen);
+	if(verbosity >= VERB_QUERY) {
+		log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
+		log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name, 
+			&target->addr, target->addrlen);
+		verbose(VERB_ALGO, "dnssec status: %s%s",
+			iq->dnssec_expected?"expected": "not expected",
+			iq->dnssec_lame_query?" but lame_query anyway": "");
+	}
 	fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
 	outq = (*qstate->env->send_query)(
 		iq->qchase.qname, iq->qchase.qname_len, 
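Review bot: The new `dnssec status` line is emitted with `verbose(VERB_ALGO, ...)` inside a block guarded by `verbosity >= VERB_QUERY`, so the guard and the message use different levels and the guard does not tell a reader when that line actually prints. If VERB_ALGO is the more verbose level, moving the call out of the block under its own `if(verbosity >= VERB_ALGO)` keeps the two query lines and the status line each at one clearly stated level. The suffix `" but lame_query anyway"` is also opaque for someone reading logs to find out why a response without signatures was accepted; wording that states the consequence, such as `" (server known dnssec-lame, check skipped)"`, would be easier to act on.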
@@ -1587,6 +1592,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 	iq->num_current_queries--;
 	if(iq->response == NULL) {
 		iq->chase_to_rd = 0;
+		iq->dnssec_lame_query = 0;
 		verbose(VERB_ALGO, "query response was timeout");
 		return next_state(iq, QUERYTARGETS_STATE);
 	}
@@ -1599,7 +1605,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * differently. No queries should be sent elsewhere */
 		type = RESPONSE_TYPE_ANSWER;
 	}
-	if(iq->dnssec_expected && !(iq->chase_flags&BIT_RD) 
+	if(iq->dnssec_expected && !iq->dnssec_lame_query &&
+		!(iq->chase_flags&BIT_RD) 
 		&& type != RESPONSE_TYPE_LAME 
 		&& type != RESPONSE_TYPE_REC_LAME 
 		&& type != RESPONSE_TYPE_THROWAWAY 
@@ -1615,7 +1622,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			type = RESPONSE_TYPE_LAME;
 			dnsseclame = 1;
 		}
-	}
+	} else iq->dnssec_lame_query = 0;
 	/* see if referral brings us close to the target */
 	if(type == RESPONSE_TYPE_REFERRAL) {
 		struct ub_packed_rrset_key* ns = find_NS(
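Review bot: The `} else iq->dnssec_lame_query = 0;` that closes the dnssec check is unbraced and shares a line with the closing brace, which makes the reset easy to miss when reading or patching this security-relevant condition. Because the `if` (whose condition is in the previous hunk) is only entered when `dnssec_lame_query` is already 0, the flag is 0 after this statement on every path visible here. An unconditional `iq->dnssec_lame_query = 0; /* flag applies to one query only */` placed after the block would say the same thing more plainly. The body of the `if` starts outside this hunk, so check that nothing in it sets the flag before adopting that form.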
@@ -1764,7 +1771,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* Clear the query state, since this is a query restart. */
 		iq->deleg_msg = NULL;
 		iq->dp = NULL;
-		iq->dnssec_expected = 0;
 		/* Note the query restart. */
 		iq->query_restart_count++;
 
diff --git a/iterator/iterator.h b/iterator/iterator.h
index 736af51..350fb1d 100644
--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@@ -255,6 +255,12 @@ struct iter_qstate {
 	int dnssec_expected;
 
 	/**
+	 * We are expecting dnssec information, but we also know the server
+	 * is DNSSEC lame.  The response need not be marked dnssec-lame again.
+	 */
+	int dnssec_lame_query;
+
+	/**
 	 * This is flag that, if true, means that this event is 
 	 * waiting for a stub priming query. 
 	 */
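Review bot: The new field comment says what `dnssec_lame_query` means but not its lifetime, which is what a reader needs in order to judge whether the dnssec-missing check could be skipped for the wrong response. From this commit it is initialised in iter_new, set through iter_server_selection() in processQueryTargets, and cleared in processQueryResponse on timeout and after the lame check. A sentence such as `Set when server selection picks a known dnssec-lame server for the query being sent; cleared when that query's response or timeout is processed.` would record that. The struct continues outside this hunk.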